1. Purpose and Scope
    1. KCN has established a Confidentiality and Data Protection policy in accordance with the Data Protection Act 1998. It incorporates protocols for : principles of good practice, recording and disposal of personal information; keeping data secure. 
  1. The procedures in this document are to ensure compliance with statutory and insurance requirements for the retention, safe storage and disposal of confidential personal and financial information held in KCN databases, for both electronic and hard-copy versions. They do not deal with the collection and usage of such data. 
  1. The scope of the information relates to two separate categories in KCN’s records : 

(1)  KCN management records :

Financial and legal records,

Staff salary records

Maintenance and Health & Safety records

Policies & Procedures 

(2)  Personal information :                                           

            Trustee and volunteer personal records

Service user records 

  1. Storage and retention
  2. Records will be archived and stored in a manner which complies with statutes and regulations, and KCN’s linked policies and procedures. 
  1. KCN must assess the level of security for each category of information, including lockable facilities, both for current data and for archived data. 
  1. Members of staff and volunteer have a responsibility for safe storage of personal data that they handle in the course of their work, as per the guidance “KCN – Keeping Information Secure” (see Data Protection policy). 
  1. Personal information

Personal information, including sensitive information, is as defined in KCN’s Data Protection policy and in accordance with the Act. The Act does not specify minimum or maximum periods for retaining personal data, but under Principle 5 personal data should not be kept for longer than is necessary for the purpose for which it was obtained. KCN must assess why such information is held and for how long it is needed :

 

  • Trustee records - a period of > 5 <  years after their service has ended
  • Volunteer records - a period of > 5 < years after their service has ended.
  • Service user records - a period of > 10 < years after their service has ended
  • DBS Certificates – see separate policy

 

  1. Management records 

Guidance from the Charity Commission issued in line with the Charity Act 2006 , as amended by the Charity Act 2011, stipulates how long financial records should be kept. The minimum period is 6 years after the end of the present accounting period. 

  • Accounting and legal records will be archived   for > 10 < years. 
  • Final signed audited Published Accounts will be archived for > 10 < years. 
  • Maintenance, testing, and Health & Safety records will be archived for   > 7 < years. 
  • Employees records will be archived for > 20 < years. 
  • Policies & Procedures will be archived for > 7 < years. 
  1. Disposal of documents
  2. Personal data

Any document which may identify or allow identification of an individual by means of personal information must be shredded at the time of disposal. 

  1. Management data

All management data must be shredded at the time of disposal 

  1. Electronic data

Other media, e.g. laptops, tablets, memory sticks must have the data fully over-written, and if in doubt physically destroyed. 

Deleting files and/or folders held on work stations does not provide sufficient safeguard.

If computer hardware is to be disposed of, it must be “cleaned” by suitable software.